CISA Added Critical Vulnerabilities in Cisco Products and CrushFTP to KEV


The Cybersecurity and Infrastructure Security Agency (CISA) has issued a high-priority alert for federal agencies to patch two critical vulnerabilities in Cisco products and one in the widely used file transfer tool CrushFTP. The urgency stems from active exploitation by state-backed hackers, underscoring the severity of the threat landscape.

State-Sponsored Breach: ArcaneDoor Campaign Targets Cisco Firewalls

The revelation that a state-backed hacking group has been exploiting two zero-day vulnerabilities (CVE-2024-20353, CVE-2024-20359) in Cisco Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) devices paints a grim picture. Since November 2023, the ArcaneDoor campaign has been actively breaching government networks with a focus on espionage activities.

Cisco’s discovery of these flaws underscores the relentless pursuit of new attack vectors by sophisticated adversaries. The fact that the attackers likely developed and tested exploits for months before deployment suggests a calculated and well-planned operation.

CrushFTP Flaw Exposes Organizations Across Industries

Adding to the pressure, CVE-2024-4040 in the widely used CrushFTP file transfer service poses an immediate risk. If exploited, it could allow unauthenticated attackers to steal sensitive data or completely compromise systems.

Security experts’ concerns stem from two factors: the widespread use of CrushFTP and the alarmingly slow patch adoption rate. Many vulnerable instances remain online, leaving enterprises across various industries as tempting targets for opportunistic cybercriminals.

CrowdStrike’s observation of this exploit being used in targeted attacks, linked to intelligence-gathering activity by politically motivated actors, emphasizes that the threat is already active.

Research firm Censys discovered over 2,750 CrushFTP exposures within the United States alone, accounting for nearly half of the global exposures.

CISA’s Directive and Deadline

CISA’s inclusion of these vulnerabilities in the Known Exploited Vulnerabilities catalog reflects the serious risk they pose, prompting a rare urgent deadline for patches. Federal agencies have been given until May 1 to secure their systems, a deadline that underscores the critical nature of these vulnerabilities and the need for immediate action.